Vladimir
Champion

Policy Installation Stages

Can someone describe what exactly the status "Finalizing Installation" is referring to?

20 Replies
EdesLC
Collaborator

Hi Vladimir, take a look at this guide, it is very helpful to understand how policy installation works.

sk101226: Policy installation flow process

AND

http://dl3.checkpoint.com/paid/0b/How-To-Troubleshoot-Policy-Installation-Issues.pdf?HashKey=1516024... 

Thanks,

Edes Leandro Cardoso

Vladimir
Champion

Edes,

Thank you for the comprehensive information. It does not, however, answer the question of what the "finalizing installation" stage in R80.X actually does.

The status of the installation on individual gateways changes to "Succeeded" long before "Finalizing Installation" 99% turns to "Completed".

Something is happening in that window that takes a fairly long time.

0 Kudos
Timothy_Hall
Legend

My guess is that the "rematch" of connections is occurring at 99% which can certainly take a moment to complete on a busy firewall.  This setting is located on the gateway object under Other...Connection Persistence.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Vladimir
Champion

Thanks Tim. It makes sense, but I've seen it taking a while in my lab environment as well as in production at different clients. In production this is likely the case, but in the lab I would expect this to happen almost instantaneously, but I have just timed it and it took 45 seconds on the unit with hardly any connections:

So it may be something different.

0 Kudos
EdesLC
Collaborator

It is helpful for understanding how the flow works.

I guess that this "Finalizing" step is related to "cpd waits for fw_fetchlocal to complete the process and then informs the Management server of the command's status (installation succeeded or failed)."

Thanks

0 Kudos
Vladimir
Champion

Do not think so: the effects of the policy installation are already visible when per-gateway status is "Succeeded" but "Finalizing Installation" is at 99%.

It may just be a communication lag or some kind of commit stage on the management server acknowledging the success of the installation on the gateways, i.e. querying the gateway to confirm that there were no errors loading the policy before completing the process.

0 Kudos
EdesLC
Collaborator

I got it. What if you run a Policy Installation Debug to try to see something in the logs?

Maybe you can see where it is taking a longer time and try to figure it out.

How to debug policy installation on R80.x Security Management Server / Multi-Domain Security Managem... 

Thanks,

0 Kudos
rajendra_bandil
Explorer

Hi Edes,

I am not able to view the solution mentioned in this URL. Please guide me on how to get access.

How to debug policy installation on R80.x Security Management Server / Multi-Domain Security Managem...

Regards

Rajendra

0 Kudos
EdesLC
Collaborator

Hi, how are you? I hope good.

I am able to open this link with no problem. Try to search for this sk112111.

0 Kudos
rajendra_bandil
Explorer

Hi Edes,

I am fine. Thank you for the information.

0 Kudos
PhoneBoy
Admin

This SK requires "Advanced" access, which anyone with a support agreement in place should be able to access.

rajendra_bandil
Explorer

Ya, thank you Dameon

0 Kudos
pattymcpherson
Explorer

When installing a policy on ClusterXL gateways, does the management server send the policy via the management interfaces of the Gateways or does it get sent to the ClusterXL IP Address (VIP)?

0 Kudos
Timothy_Hall
Legend

Perhaps the 99% delay is the SMS putting/committing a copy of the successfully installed policy into the "Installation History" list of the SmartConsole?  Would make sense that the SMS would have to wait for the firewall to acknowledge the atomic load (fw stat would show the firewall has applied the new policy) at which point the SMS would have to do some heavy database operations.

Vladimir
Champion

I suspect that you are correct. It would be consistent with the observed behavior.

Would be nice to get CP to chime in on this to confirm.

0 Kudos
Tomer_Sole
Mentor (Accepted Solution)

I reached out to the Install Policy experts and got this out:

The “Finalizing Installation” phase is when we update the log server with the resolved objects, so that logs will show Check Point objects rather than IPs, ports etc.

Technically, by the time you see "Finalizing...", the policy is already applied on your gateway. This is only a completing step for the sake of logs data.

A few things that I'd like to point out:

“Perhaps the 99% delay is the SMS putting/committing a copy of the successfully installed policy into the "Installation History" list of the SmartConsole”

One word which we no longer use in R80 is "copy". Things are pointed to, not duplicated. The Installation History simply references revision IDs which were sent to a Gateway. I know that when we sell R80 Management we start with the things which are easier to explain (multi-admins, publish mode, locks) but I am hoping with this community we'll be able to discuss the hidden architectural benefits in more detail.

Vladimir
Champion

Thank you Tomer!

Nice to get a definitive answer.

0 Kudos
MikaelJohnsson
Contributor

@Tomer_Sole  Do you know (or can you check) if this procedure has changed in R80.20?

I have started seeing more and more policy-installations stuck at 99% for a couple of clients.

Some of them hang for hours (or until we have to get the SMS working again and do a cpstop && cpstart).

 

0 Kudos
Heath_Mote
Collaborator

We are seeing this same issue after moving to R80.20 management. I ran a policy install on a cluster just now that took 3 minutes to go to the finalizing stage at 99% and it's still finalizing after 30 minutes. I've attached a screenshot showing the start time and the current time. This management and gateway are located at the same site...

image.png

0 Kudos
Heath_Mote
Collaborator

Creating a new thread since this OP is solved.

0 Kudos
